Q&As

Do I need consent to process the personal data of existing and new clients—law firms?

read titleRead full title
Published on LexisPSL on 29/05/2018

The following Risk & Compliance Q&A provides comprehensive and up to date legal information covering:

  • Do I need consent to process the personal data of existing and new clients—law firms?
  • Processing non-sensitive personal data
  • Sensitive (special category) personal data

Whether you need consent to process the personal data of existing and future clients depends what data you are processing, why and how.

Processing non-sensitive personal data

Consent is only one of the bases on which you can lawfully process data under the General Data Protection Regulation (GDPR). You should always consider whether an alternative lawful basis for processing personal data exists. There are five alternatives in Article 6 of the GDPR, ie processing is necessary:

  1. for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject before entering into a contract

  2. for compliance with a legal obligation to which you are subject

  3. to protect the vital interests of the data subject or another natural person

  4. for the performance of a task carried out in the public interest or in the exercise of official authority vested in you

  5. for the purpose of the legitimate interests pursued by your firm or a third party, except where your interests are overridden by those of the data subject

Precedent: Privacy policy—law firms and professional services is intended to maximise the scope of non-consent-based processing. The table below (taken from the drafting notes to that precedent) sets out common processing operations frequently included in the privacy policy of law firms and considers whether consent is required—or whether

Popular documents